It has been some time since I last posted about the Cuckoo Sandbox. The good news is that the people at the Cuckoo Foundation have not been idle: they have released Cuckoo Sandbox 2.0.7, with lots of improvements, code cleanup, support for VirtualBox 6 and the well-deserved support for MITRE ATT&CK TTP detection.
What is Cuckoo Sandbox?
Cuckoo Sandbox is an advanced, extremely modular and 100% open source automated malware analysis system that helps you analyze any malicious file under Windows, macOS, Linux and Android. It helps you to:
1. Analyze many different malicious files (executables, Office documents, PDF files, emails, etc.) as well as malicious websites under Windows, Linux, macOS and Android virtualized environments.
2. Trace API calls and the general behavior of the file and distill this into high-level information and signatures comprehensible by anyone.
3. Dump and analyze network traffic, even when it is encrypted with SSL/TLS, with native network routing support to drop all traffic or route it through INetSim, a network interface, or a VPN.
4. Perform advanced memory analysis of the infected virtualized system through Volatility, as well as at process-memory granularity using YARA.
Cuckoo 2.0.7 Changelog:
This release mostly consists of small code changes meant to increase the stability of Cuckoo. These include:
- Vulnerability warnings: For some time now, when Cuckoo starts it checks whether it is the latest version. This check can now also tell a Cuckoo setup that an installed VirtualBox or Python dependency version contains vulnerabilities. Cuckoo will abort startup and warn the user if any vulnerable libraries or other software components are installed and in use.
You can choose to ignore this warning by disabling the check entirely, by setting ignore_vulnerabilities = yes under the [cuckoo] section of the configuration file.
- A new result server: A completely rewritten and less CPU-intensive result server has been designed, resulting in fewer memory & performance issues when running Cuckoo for an extended period or while performing a large number of analyses.
- Whitelisting: Cuckoo now allows for the whitelisting of IPs and domains, which enables you to, for example, filter out HTTP requests to a specific IP. There are also separate whitelists for the MISP reporting module, allowing you to keep the results in the reports, but not report them to MISP.
The whitelist files can be found at
- Signature TTPs: Support for adding TTP identifiers to signatures has been added. These identifiers are linked to specific descriptions that will be included in the full Cuckoo report. They are not displayed on the web interface (yet). Multiple Cuckoo signatures have been updated to include TTPs. This is a signature example.
- General improvements: Cuckoo Sandbox 2.0.7 and its supporting processes should now clean up more reliably when they are stopped. There have been heaps of smaller, unmentioned changes, all aimed at cleaning up the code base, improving stability and reducing unexpected behavior, as well as support for VirtualBox 6.
Among those changes, the following community contributions were merged: #2713, #2706, #2726, #2679, #2176, #2426, #2365, #2001, #2738, #2741, and #2617.
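The whitelisting entry above describes two separate lists: one that removes noise (for example OS update traffic) from the network results altogether, and a MISP-specific one that keeps entries in the report but withholds them from the MISP export. The following is an added example written for this post, not Cuckoo's own whitelist code: the file format, the matching rules (a domain entry covers its subdomains, an IP entry may be a single address or a CIDR range) and the request structure are assumptions, since the page does not show them. Python 3 is assumed.

```python
"""Added example, not Cuckoo's own code: a small model of the two-tier
whitelisting described in the 2.0.7 changelog. File format, matching rules
and the request structure are assumptions made for this illustration."""
import ipaddress

# Constructed whitelist contents (the real files' paths and syntax are not
# shown on the page). Assumed rules: one entry per line, '#' starts a
# comment, a domain entry also covers its subdomains, and an IP entry may
# be a single address or a CIDR range.
GENERAL_WHITELIST = """
# Windows update / telemetry noise
microsoft.com
windowsupdate.com
# lab infrastructure
10.0.0.0/8
"""

MISP_WHITELIST = """
# keep in the report, but never push to MISP
8.8.8.8
example-cdn.net
"""


def parse_whitelist(text):
    """Split a whitelist into a set of domains and a list of IP networks."""
    domains, networks = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # strict=False lets a bare "8.8.8.8" become the /32 network
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            domains.add(line.lower().rstrip("."))
    return domains, networks


def is_whitelisted(host, whitelist):
    """True if host (domain name or IP literal) matches a whitelist entry."""
    domains, networks = whitelist
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Domain name: match the name itself or any parent domain, label by
        # label, so "download.windowsupdate.com" is covered by
        # "windowsupdate.com" but "notmicrosoft.com" is not by "microsoft.com".
        labels = host.split(".")
        return any(".".join(labels[i:]) in domains for i in range(len(labels)))
    return any(addr in net for net in networks)


def filter_requests(requests, whitelist):
    """Drop every request whose host is whitelisted."""
    return [r for r in requests if not is_whitelisted(r["host"], whitelist)]


# Constructed HTTP requests, in the shape a network module might record.
SAMPLE_REQUESTS = [
    {"host": "download.windowsupdate.com", "uri": "/v11/update.cab"},
    {"host": "10.0.0.5", "uri": "/api/check"},
    {"host": "8.8.8.8", "uri": "/"},
    {"host": "cdn.example-cdn.net", "uri": "/lib.js"},
    {"host": "bad-c2.example", "uri": "/gate.php"},
]


def build_outputs(requests):
    """Return (report_requests, misp_requests) after applying both lists.

    The general list is applied first and shapes the report; the MISP list
    is applied on top of that, so entries it removes stay in the report."""
    report = filter_requests(requests, parse_whitelist(GENERAL_WHITELIST))
    misp = filter_requests(report, parse_whitelist(MISP_WHITELIST))
    return report, misp


if __name__ == "__main__":
    report, misp = build_outputs(SAMPLE_REQUESTS)
    print("report:", [r["host"] for r in report])
    print("misp:  ", [r["host"] for r in misp])
```

Matching domains label by label rather than by substring matters in practice: a substring check would let "notmicrosoft.com" hide behind a "microsoft.com" entry, which is exactly the kind of lookalike an analyst wants to keep in the results.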
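The signature TTPs entry above says that a signature can now carry TTP identifiers, and that the identifiers are linked to descriptions that end up in the full report. As an added example, not Cuckoo's own signature code, here is a minimal model of that flow: two behavioural signatures annotated with MITRE ATT&CK technique ids, run over a constructed API-call trace, with the ids expanded into descriptions in the report. The base class, the `ttp` attribute name, the description table and the trace format are assumptions made for this illustration.

```python
"""Added example, not Cuckoo's own code: a minimal model of behavioural
signatures that carry MITRE ATT&CK technique ids, and of how those ids
are expanded into descriptions for the full report. Base class, `ttp`
attribute, description table and trace format are assumptions."""

# Constructed lookup table (assumption): ATT&CK technique id -> short name.
# A real deployment would carry a complete, versioned table.
TTP_DESCRIPTIONS = {
    "T1055": "Process Injection",
    "T1060": "Registry Run Keys / Startup Folder",
}


class Signature(object):
    """Stand-in for a signature base class (assumption, see lead-in)."""
    name = ""
    description = ""
    severity = 1
    ttp = []  # ATT&CK technique ids the detected behaviour maps to

    def __init__(self, trace):
        self.trace = trace  # {"pid": analysed pid, "calls": [(api, args)]}
        self.marks = []

    def mark(self, api, args):
        """Record the call that triggered the signature."""
        self.marks.append({"api": api, "args": args})

    def on_complete(self):
        """Inspect the whole trace; return True if the behaviour was seen."""
        raise NotImplementedError


class RunKeyPersistence(Signature):
    name = "persistence_autorun"
    description = "Installs itself for autorun at Windows startup"
    severity = 3
    ttp = ["T1060"]

    def on_complete(self):
        for api, args in self.trace["calls"]:
            if api in ("RegSetValueExA", "RegSetValueExW") and \
                    "\\currentversion\\run" in args.get("regkey", "").lower():
                self.mark(api, args)
        return bool(self.marks)


class RemoteThreadInjection(Signature):
    name = "injection_createremotethread"
    description = "Creates a thread in a foreign process (possible code injection)"
    severity = 3
    ttp = ["T1055"]

    def on_complete(self):
        for api, args in self.trace["calls"]:
            # A thread created in the sample's own process is not injection.
            if api == "CreateRemoteThread" and \
                    args.get("process_identifier") != self.trace["pid"]:
                self.mark(api, args)
        return bool(self.marks)


def run_signatures(trace, signature_classes):
    """Run each signature over the trace and build the report section."""
    report = {"signatures": [], "ttps": {}}
    for cls in signature_classes:
        sig = cls(trace)
        if not sig.on_complete():
            continue
        entry = {
            "name": sig.name,
            "description": sig.description,
            "severity": sig.severity,
            "marks": sig.marks,
            # Expand ids here so the report is self-describing; an id with
            # no known description is kept rather than silently dropped.
            "ttp": {tid: TTP_DESCRIPTIONS.get(tid, "unknown technique")
                    for tid in sig.ttp},
        }
        report["signatures"].append(entry)
        report["ttps"].update(entry["ttp"])
    return report


# Constructed trace of a fictitious sample (not real behaviour data).
SAMPLE_TRACE = {
    "pid": 1234,
    "calls": [
        ("RegSetValueExW", {
            "regkey": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
            "value": "C:\\Users\\lab\\AppData\\Roaming\\updater.exe"}),
        ("CreateRemoteThread", {"process_identifier": 1234}),  # own process
        ("CreateRemoteThread", {"process_identifier": 5678}),  # foreign process
    ],
}

SIGNATURES = [RunKeyPersistence, RemoteThreadInjection]

if __name__ == "__main__":
    import json
    print(json.dumps(run_signatures(SAMPLE_TRACE, SIGNATURES), indent=2))
```

Keeping the id-to-description expansion in the reporting step, rather than in each signature, means a signature author only adds the technique id and the report stays consistent when the description table is updated; it also makes a mapping gap visible in the report instead of losing the id.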
Download Cuckoo Sandbox 2.0.7:
Electron is a pretty recent framework for building desktop applications and there are not many tools that deal with the security part either. There is an electronjs security checklist, providing guidelines for building secure applications, but there is no tool per se – at least none I know of! Electronegativity changes this. This post describes the open source